
Re: Automating signing of DKMS modules with machine owner key



On Aug 04 2020, Jeremy Stanley <fungi@yuggoth.org> wrote:
> Okay, so for systems to which a malicious party may gain physical
> access (or remote console access) there's sort of a third risk this
> addresses. A special case of the second risk really. *If* you're
> also encrypting the filesystem on which that signing key resides
> (via LUKS or similar) then this might keep you safe from someone
> with access to replace the kernel or initrd on the unencrypted boot
> partition... but only if they can't unlock the decryption key for
> the FS which holds the signing key of course.

Wouldn't such an attacker simply modify the (necessarily unencrypted)
initrd such that it stores the decryption key for the attacker the next
time you enter it?

Best,
-Nikolaus

-- 
GPG Fingerprint: ED31 791B 2C5C 1613 AF38 8B8A D113 FCAC 3C4E 599F

             »Time flies like an arrow, fruit flies like a Banana.«

